FWIW we evaluated Cuckoo as well for Zcash, and it was a strong second-place contender. There wasn't really anything wrong with it — it just didn't seem to have quite as much of a rigorous scientific analysis as Equihash. However, that is a very subjective thing for me to say. You could argue (and Cuckoo's author, John Tromp, does argue persuasively) that Cuckoo's history of analysis and refinement is better than Equihash's.

What about cycling through 10 unique PoWs every 10 blocks?

I'm not the best at discrete analysis and understand this multiplies attack surface 10-fold, but could we splinter miners into small, specialized, and de-fanged factions using 10 different well-chosen hash algorithms, then scatter them among CPUs/GPUs/FPGAs/ASICs?

DeSantis has started some work (he wants to do some testing before posting his source code for peer review though). He's creating a Keccak fork and a Cuckoo fork, and has created a beautiful automated testing utility that I hope he gives me permission to link to you guys.

The testing utility (I've viewed the source, it's not vaporware) allows you to spin up multiple Docker containers, each containing a different Bitcoin node; some of the nodes can be Bitcoin 0.14.0, some of them can be Bitcoin Unlimited, and some of them can be Keccak, Cuckoo, etc.

With these containerized Bitcoin nodes, you can then simulate various forking scenarios, and actually observe in real-time how it plays out. With my limited bitcoin programming knowledge, I am waiting for him to document the config file that controls the node counts & types, and to create some python installation script (which are easier to debug for me at least).

There are several developers working on PoW changes already, but what we need is proper peer review testing and a big bounty for this work. I am willing to donate btc and help fund raise for this, but we need 3 trustworthy and public people to handle the funds. Who is interested or who should we ask to get this started?

The "public" stipulation may be difficult to satisfy. Irrespective of how much support we can build, whoever accepts an escrow role is sticking their head above the parapets rather significantly (Bitfury have already threatened legal action against PoW changes, although against who is undetermined I believe)

Can the several developers not present their designs, rates and also addresses to donate to?

Hi devs, can you all send your nominations for who the most credible individuals are for managing an m-of-n account (for holding the PoW bounty's reward funds)?

2) Once all the nominations are received, I will make one big post containing all of the signed emails (unless the sender wishes to remain anonymous due to fear of BitfuryGeorge).

3) We reach out to the agreed upon individuals, inviting them to become custodians of the multisig address and requesting a public BTC address (for which they control the private key) from each of them.

4) Create the multisig address, notify the new custodians of the account.

What's the rationale for making the mini-blocks 10 per legacy block? I'm thinking of the orphan rate.

In order to keep the two chains in sync and ensure that the new PoW hash power is always working, the new PoW miners can assemble the next proto-block from mini-blocks and mine it only after legacy miners have mined and broadcast the current block. The period while the new PoW miners are mining the proto-block is downtime for the legacy miners; their hash power is going to waste. In order to minimize this downtime, we need a fast confirmation time for the new PoW. One minute isn't too extreme, actually, if we consider Ethereum's 20-second confirmation time.

I'm also unconvinced about a "years" timeframe. I would propose 1 year, where the interval between the 5% steps starts at close to infinity increase for the 5-10% part, and gradually increases the interval between steps (like an exponential curve inverted about x=y, is that the cosine curve?)

Going faster to begin with should help to attract hashing power to newPoW, and in turn dissuade the BU miners from even attempting the various attacks they have no doubt developed. The "long tail" will gradually contribute to calming what would inevitably be a very febrile atmosphere surrounding the initial 5% change (the accompanying FUD would no doubt be typically disproportionate)

It's a tradeoff. Yes, transitioning faster would attract more new PoW miners. So would giving them a larger share of the block reward at the beginning, say 10%.

On the other hand, since this is a "non-hostile" fork proposal that seeks to gain broad community consensus, we don't want to alienate legacy miners by turning their hardware into scrap metal too quickly. This is why I would prefer to err on the side of an overly long phase-out period rather than an overly short one. A linear phase-out is preferable to an exponential one for the same reason.

As for attacks, non-upgraded miners may attempt to attack the chain to fool non-upgraded nodes, but this is a risk for any SF. We just have to rely on having most economic nodes upgraded by flag day.

That's what I think. My next question for that would be, won't it make the network open to attacks if the difficulty suddenly drops low? The idea might be good on paper but it's really only complicating matters. Best to come with a new POW algorithm that uses less energy.

won't it make the network open to attacks if the difficulty suddenly drops low?

Not really. Until it stabilizes, my expectation would be that you would just need to wait for more confirms before you can be assured that the chain you've put a transaction in hasn't been orphaned. Now 6, perhaps as high as 20. When lightning is available, I don't think that's really that much of an issue.
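How the number of confirmations to wait for grows when honest hash power falls, as an added example that is not part of the original posts: it uses the attacker catch-up calculation from the Bitcoin whitepaper (section 11). The hash-rate units, the fixed attacker hash rate and the 0.1% risk threshold are constructed assumptions.

```python
import math


def attacker_success(q: float, z: int) -> float:
    """Probability that an attacker with hash share q ever overtakes z confirmations."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p                      # expected attacker blocks while z honest blocks arrive
    poisson = math.exp(-lam)             # Poisson term for k = 0
    prob = 1.0
    for k in range(z + 1):
        prob -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)         # advance to the term for k + 1
    return prob


def confirmations_needed(q: float, risk: float = 0.001, limit: int = 200):
    """Smallest z for which the attacker's success probability drops below risk."""
    for z in range(limit + 1):
        if attacker_success(q, z) < risk:
            return z
    return None                          # not reachable within limit (q too close to 0.5)


def attacker_share(attacker_rate: float, honest_rate: float) -> float:
    """Share of total hash power held by an attacker with a fixed absolute rate."""
    return attacker_rate / (attacker_rate + honest_rate)


if __name__ == "__main__":
    # Constructed scenario: attacker keeps 1 unit while honest hash power shrinks.
    for honest in (9, 4, 3):
        q = attacker_share(1, honest)
        print(f"honest={honest} q={q:.2f} confirmations={confirmations_needed(q)}")
```
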

With enough asics a group of miners could offer/sell an alternative to SWIFT for banks?

The group could settle a secret agreement with some banks to raise a few billion US$ for their hash capacity (they would have to leave bitcoin). They would need something like 40% to 50% of bitcoin hash rate to avoid attacks (Bitcoin unlimited is in almost 40%?). They would have to keep building asics to keep hash capacity in bitcoin level. Or build even more. Then we would live in a world with 2 major coins. Both only vulnerable to each other hash capacity. The miner (banks backed) would have lot of budget to keep pumping asics until bitcoin is forced to change POW or other mitigation strategy. The group would guarantee its future in asics manufacturing and operations and wouldn't care if bitcoin fails. Quick $ with low risk. As it would have a signed contract with major banks to back them. Actually this group of miners would gain with bitcoin suffering. Banks could have a chance to have its own SWIFT and damage bitcoin considerably, gaining more time for their fiat party, with very low costs for them (comparing to acquisitions we are seeing today and the SWIFT value).

If you are bold, you can have the sequence of leading bits to check to be dependent on the trailing bits of the previous block.

I love this one.

Like you said, but an extension of what you suggest, have the check-bits being searched for as a function of the previous mined block. Instead of searching for 00000000000 starting at nth 0, search for 76436753432 at nth 7. Or that at 21, going backwards. 21/20/19/18/etc. Or pick the Xth prime, and skip the Yth prime of each element, where the primes used is a function of the hash of the previous block.

Introduce them as a randomized instantiation. ~10/1000 is this new 'format'. Then, after 1000, it's ~20/1000. Have a new difficulty setting for these new elements. Who cares if you get a virtually instantaneous block reward for 10/1000. No different than chance happening for that normally. By the time that it got to 100/1000 there would be an entirely new set of miners, on an entirely new set of difficulty settings.

It doesn't punish the miners that are currently mining in an untoward manner. It gives them an acceptable return on their existing hardware. That would account for a two year rollover.

Then, let the miners know that the same thing is going to happen again in two years.

It de-incentivizes hardware solutions, but doesn't kill them. I'm not sure this solves the long-term problem of centralization though. While the prime thing is good, you want all of that calculation to be done by the miner, with the least amount of effort you can come up with so that it can be validated. This just means that you could have relatively minor modification to the hash validation that current hardware wouldn't be designed for. I don't actually know how the ASICs verify that a specific hash meets the requirements of validation. It might be as simple as updating a single variable within their hardware or software implementation. Instead of looking for "000000" look for "123456".
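The check described in the posts above (the bits to look for, and where to look for them, taken from the previous block's hash), as an added sketch that is not code from any poster or from Bitcoin. The 12-bit toy difficulty, the simplified header layout and all function names are assumptions made for illustration.

```python
import hashlib

BITS = 12  # constructed toy difficulty: number of hash bits that must match


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as Bitcoin applies to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def derive_check(prev_hash: bytes, bits: int = BITS):
    """Take the bit offset and the pattern from the trailing bytes of prev_hash."""
    seed = int.from_bytes(prev_hash[-8:], "big")
    offset = (seed & 0xFF) % (256 - bits + 1)   # where in the 256-bit hash the match starts
    pattern = (seed >> 8) & ((1 << bits) - 1)   # the bits that must appear there
    return offset, pattern


def meets_check(candidate: bytes, offset: int, pattern: int, bits: int = BITS) -> bool:
    """True if `bits` bits of a 32-byte hash, `offset` bits from the top, equal pattern."""
    value = int.from_bytes(candidate, "big")
    window = (value >> (256 - offset - bits)) & ((1 << bits) - 1)
    return window == pattern


def header_hash(prev_hash: bytes, payload: bytes, nonce: int) -> bytes:
    # Simplified stand-in for a block header: previous hash, payload, nonce.
    return sha256d(prev_hash + payload + nonce.to_bytes(8, "little"))


def mine(prev_hash: bytes, payload: bytes, max_nonce: int = 1 << 20):
    """Search nonces until the hash shows the pattern this prev_hash demands."""
    offset, pattern = derive_check(prev_hash)
    for nonce in range(max_nonce):
        if meets_check(header_hash(prev_hash, payload, nonce), offset, pattern):
            return nonce
    return None


def validate(prev_hash: bytes, payload: bytes, nonce: int) -> bool:
    """Verification stays at one header hash plus a shift, mask and compare."""
    offset, pattern = derive_check(prev_hash)
    return meets_check(header_hash(prev_hash, payload, nonce), offset, pattern)


if __name__ == "__main__":
    prev = sha256d(b"constructed previous block")
    nonce = mine(prev, b"constructed payload")
    print(derive_check(prev), nonce, validate(prev, b"constructed payload", nonce))
```

Matching any fixed 12-bit pattern at any offset has the same 1-in-4096 chance per hash as 12 leading zeros, so the expected work does not change; only the comparison the hardware must perform changes from block to block.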

But the trade-off is this: allow a certain attack from a malicious actor or potentially allow cheaper-than-usual attacks from unknown actors temporarily.

Right now the mining cartel protects us from any other potential attackers in terms of hashing. Still, not an acceptable situation.

If there's a POW upgrade what will happen to the Chinese miners? Will it be possible for them to continue to mine using the old SHA256 and fork away from the upgraded POW algorithm? I think that would be a losing move for the current developers and the ones behind them.

They can try to keep their fork alive but who wants to use a crypto completely dominated by 4 odd dudes from China? Maybe Roger and a few other lunatics? Win-win.

exactly!, who wants? i say Banks or SWIFT!! imagine a new SWIFT based in sha256. As secure as bitcoins (because it would have a considerable hash capacity!), at least for now. 250millions usd$? it's a bargain for a startup that aims to dethrone SWIFT! People need to prepare, investigate this hypothesis. we must be negotiating with people (BU miners) that are already out of bitcoin. Read my post, few posts below, for more info.

That is your point of view yes, but what about the rest? Will they follow the people who can secure the network or will they follow the new POW upgrade and take the road less traveled? It will be a hard decision but I think the majority will follow the safer road.

If these people believe in security by being under a racket with full control over their currency, let them have their coin. I didn't need BTC for that.

AFAIC their presence is a liability, if they get to influence the decision process.

By that I assume you mean the big Chinese miners. Wasn't the specialization of mining a part of the natural evolution of Bitcoin? There are some people who argue against the POW upgrade because they say they would preferably go with the ASIC miners than the botnet that hackers are known to be using.

I can understand the thought behind wanting to make this change and call me sentimental, but I don't think Satoshi would have wanted this for Bitcoin. Bitcoin still functions as it's supposed to as long as there's not a 51% attack and changing something for people's benefit is still just that.

There are some people who argue against the POW upgrade because they say they would preferably go with the ASIC miners than the botnet that hackers are known to be using.

Does that argument not favour a hashing algo that does work with GPUs/FPGAs? Is that even possible without the risk of an ASIC being developed?

The argument is about the developers who are proposing the POW upgrade shaking the cage too much. It's either they're an opposition controlled by the miners or just your ordinary Bitcoiners who hate to change the status quo.